<!DOCTYPE html>
<title>Cross origin WebBundle subresource loading (error case)</title>
<link
  rel="help"
  href="https://github.com/WICG/webpackage/blob/master/explainers/subresource-loading.md"
/>
<link
  rel="help"
  href="https://html.spec.whatwg.org/multipage/#cors-settings-attribute"
/>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="../resources/test-helpers.js"></script>
<body>
  <!--
       This wpt should run on an origin different from https://www1.web-platform.test:8444/,
       from where cross-orign WebBundles are served.

       This test uses a cross-origin WebBundle,
       https://www1.web-platform.test:8444/web-bundle/resources/wbn/no-cors/cross-origin.wbn,
       which is served *without* an Access-Control-Allow-Origin response header.

       `cross-origin.wbn` includes two subresources:
       a. `resource.cors.js`, which includes an Access-Control-Allow-Origin response header.
       b. `resource.no-cors.js`, which doesn't include an Access-Control-Allow-Origin response header.
  -->
  <script>
    promise_test(async () => {
      const prefix =
        "https://www1.web-platform.test:8444/web-bundle/resources/wbn/no-cors/";
      const resources = [
        prefix + "resource.cors.js",
        prefix + "resource.no-cors.js",
      ];
      for (const crossorigin_attribute_value of [
        undefined,   // crossorigin attribute is not set
        "anonymous",
        "use-credential",
      ]) {
        const link = await addLinkAndWaitForError(
          prefix + "cross-origin.wbn",
          resources,
          crossorigin_attribute_value
        );

        // A subresource in the bundle can not be used in any case.
        for (const resource of resources) {
          await fetchAndWaitForReject(resource);
          await addScriptAndWaitForError(resource);
        }
        link.remove();
      }
    }, "Use CORS if crossorigin=anonymous or crossorigin=use-credential is specified. A cross origin bundle must not be loaded unless a server returns a valid Access-Control-Allow-Origin header.");
  </script>
</body>
